Vulnerability Management Best Practices

In 2018, network vulnerabilities accounted for 81% of all company security breaches. On top of that, it takes on average up to 69 days to patch a critical web application vulnerability and 65 days to patch a similar vulnerability for an internal network. In this context, it would be safe to say that strong vulnerability management is one of the most important cybersecurity measures for managed services providers (MSPs) to implement for their customers.

Implementing new vulnerability management systems can be a challenge. There are many moving parts, from technical processes to policy implementation. By using the vulnerability lifecycle model as a roadmap, you can implement vulnerability management best practices to protect your customers’ networks from emerging security threats.

What is vulnerability and patch management?

Vulnerability management is the practice of identifying, mitigating, and repairing network vulnerabilities. Organizations use vulnerability management as a proactive process to improve security in company applications, software, and computer networks. When implemented well, vulnerability management can help an organization be significantly safer from security breaches and data theft.

Similarly, patch management is the deployment of a computing patch to repair a network vulnerability. A patch is a set of changes made to a program that is designed to update, fix, or improve its functionality. Handling this process well is crucial, as over 80% of security breaches are a result of poor patch management.

Before jumping into the specifics of vulnerability management and best practices, it’s important to understand the distinctions between vulnerabilities and security risks, since the terms are often conflated. A security risk describes the potential for loss, damage, or destruction of an asset. A vulnerability describes a specific weakness an attacker can exploit to perform unauthorized actions within a computer system. Although risks take vulnerabilities into account (and evaluate them alongside threats and assets), they are not one and the same. Understanding this difference, and explaining it to your customers, is the first step in improving security practices.

Other important terms to understand in this area of cybersecurity are threats and assets.

Assets are usually intellectual property, information, and sometimes people—any item that can be assigned a value. Sometimes these are intangible things like a person’s reputation or proprietary information. Generally, customer assets may be things like databases, software code, or important company records. Likewise, threats can be described as anything that can exploit a vulnerability and obtain or damage one of these assets.

What is the vulnerability management lifecycle?

The vulnerability management lifecycle describes the specific steps that need to be continually addressed in vulnerability management. Specifics will vary from organization to organization but there are several elements that will be relevant and useful for most MSPs:

• Discover: Know where network weaknesses are
• Prioritize: Categorize assets into groups and assign a value based on how critical they are to your customers’ operations
• Assess: Evaluate your customers’ willingness and ability to take risks based on asset criticality and potential threats
• Report: Measure the level of risk associated with your customers’ assets according to their organizations’ security policies
• Remediate: Prioritize and fix vulnerabilities in accordance with their assigned risk
• Verify: Ensure that threats have been eliminated

If you address all of these steps in your vulnerability management service, you have the best odds of keeping your customers’ networks protected.

What is the vulnerability management process?

The vulnerability management process takes into account the above mentioned management lifecycle and uses it as a guide for action. Here are some primary processes you should help your customers implement to improve their vulnerability security and keep their networks protected:

• Check for vulnerabilities: Network scans, firewall logs, and penetration testing are all important vulnerability management tools for locating any weak points customer networks may have. You should use these tools on a regular basis and consider automating them if possible.
• Identify the vulnerabilities: Using the data generated from the logs, tests, and scans, you can locate any anomalies that might suggest foul play on your customers’ networks (malware attacks, suspicious activity, etc.).
• Verify the vulnerabilities: Determine if the identified vulnerabilities have the potential to be exploited on servers, applications, networks, or other systems.
• Mitigate vulnerabilities: If a patch cannot be issued quickly or if there is no patch solution for a given vulnerability, you will need to come up with placeholder solutions for your customers and their assets. You might consider taking the affected part of a system offline or otherwise quarantining an attack.
• Patch vulnerabilities: Once you’ve identified a vulnerability and assessed that it poses a serious risk, it’s time to patch. Patches can usually be obtained or purchased from the vendors of the affected software or hardware. Try to schedule patching so that it doesn’t interfere with user activity, if possible.

How to Improve vulnerability management strategy

All of the actions proposed by vulnerability management processes address the concerns and steps laid out by the lifecycle model, but they are not the only actions MSPs can take to improve their vulnerability management services. Here are some additional best practices we recommend you implement for customers.

First, invest in your penetration tests services as much as possible so you can improve the discovery of weaknesses in your customers’ networks. This is the first step of the lifecycle model and if it’s not done well, it will severely limit the success of your vulnerability management efforts. Penetration techniques are used to evaluate the safety and security of a network in a controlled manner. If you want to offer your customers the best odds of locating their vulnerabilities in their networks, you’ll need to make sure your testing services are top notch.

Second, one of the best ways to prioritize and assess your customers’ assets is to inventory their systems. It can help to identify deployed technologies that might be putting their systems at risk. One of the things you can do to help customers in this endeavor is to classify their network assets by platform. You should also identify which defensive tools are already in place.

Employing a vulnerability management service would be moot without offering sufficient patch servicing as well. After all, patching is often the only way you can remediate the identified threats to customers’ vulnerabilities. Because patching is complicated and tedious, most small and medium-sized businesses can’t run them themselves. This increases the demand for effective patch management on the MSP’s side, and as that demand rises, you will need to improve on your own services or risk falling behind the competition. One way to do this is to consider using an automated patch management solution, which can help you stay on top of your many customers’ ongoing updates and network scans.

Without a vulnerability management program in place, your customer’s network security will be blind to potential threats. Although introducing a new vulnerability management process within a customer’s organization can be challenging, it’s made easier by following the lifecycle model closely. Implementing the cycle’s guidelines will help you deploy an effective vulnerability management service for your customers’ computer systems. Explore our product suite for additional vulnerability management capabilities and services.